OWASP Vulnerability: Security Misconfiguration

iFour Team - 4 Aug 2017

Today's web applications are far more complex than they were in the past. The applications built by web development companies have numerous layers, and each layer widens the surface available to a potential attacker. During development, deployment, ongoing use and maintenance of a web application, it is very important that software development companies keep proper security safeguards in place to close off any avenue for exploitation. Security settings need to be configured correctly and checked frequently to protect an organization's assets.

HOW CAN THE VULNERABILITY BE COMPROMISED?

Security misconfiguration is a broad category, which makes it one of the most common vulnerabilities found in web applications and also one of the easiest to exploit. Web applications are built on multiple layers, and a configuration mistake in any one of those layers is quite common.

The vulnerability can be exploited in the following ways:

The application server returns stack traces to users, or displays error messages that reveal extra details about the system.

Application servers ship with sample applications that are not secured; if these are not removed from the production server, they can be used to compromise it.

If directory listing is not disabled on the server, an attacker who gains access to it can very easily list the contents of directories and act on what is found there.

It is also possible to gain access to the source, which contains all the custom code.

How you can discover security misconfigurations

First, look over the system and ask the following questions.

Are there any default accounts? If so, are their passwords changed regularly?

If the framework offers stronger security settings, have those options been chosen?

Do error messages reveal confidential information to users?

Are there any unnecessary features included that could be removed?
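The exploitation routes and the checklist above can be turned into an automated configuration check. The following is an added example, not code from the original post: it audits an Apache httpd.conf fragment for the weak settings the post describes (version disclosure, verbose error pages, directory listing, exposed sample content). The config fragments and the list of sample-content paths are constructed for the example.

```python
import re

# Constructed httpd.conf fragments (not from the post): one with the weak
# settings the checklist describes, one with those settings corrected.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
Alias /examples "/usr/share/httpd/examples"
"""
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
"""
# URL paths under which shipped sample/demo content is often exposed (assumed list).
SAMPLE_PATHS = {"/examples", "/sample", "/samples", "/docs", "/manual"}


def audit_apache_conf(conf: str) -> list[str]:
    """Return one finding per weak directive found in the config text."""
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # skip blanks and comments
            continue
        if m := re.match(r"ServerTokens\s+(\S+)", line, re.I):
            if m.group(1).lower() != "prod":           # anything but Prod leaks version info
                findings.append(f"ServerTokens {m.group(1)}: server version exposed in responses")
        elif m := re.match(r"ServerSignature\s+(\S+)", line, re.I):
            if m.group(1).lower() != "off":            # On/EMail adds server details to error pages
                findings.append("ServerSignature On: error pages reveal server details")
        elif m := re.match(r"Options\s+(.+)", line, re.I):
            opts = {o.lower().lstrip("+") for o in m.group(1).split()}
            if "indexes" in opts or "all" in opts:     # 'All' implies Indexes; '-Indexes' stays disabled
                findings.append("Options Indexes: directory listing enabled")
        elif m := re.match(r"Alias\s+(/\S*)", line, re.I):
            path = m.group(1).rstrip("/").lower() or "/"
            if path in SAMPLE_PATHS:
                findings.append(f"Alias {m.group(1)}: sample content exposed on production")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_apache_conf(conf) or ['no findings']}")
```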

AFFECTED ITEMS AND SEVERITY

Affected items: Server

Severity: High

The impact on the application varies and depends on the nature of the misconfiguration.

DESCRIPTION

It is the fifth most critical web application security risk according to the OWASP Top Ten list.

Security misconfiguration is nothing but incorrectly assembling the safeguards of a web application. Such risks arise when developers, DBAs or administrators leave holes open in the framework. This can happen at any level: the web server, application server, platform, database, custom code or frameworks. Such misconfigurations can guide an attacker into the system and result in a partially or totally compromised system.

RECOMMENDATIONS TO MITIGATE THE RISKS (AVOID/ REDUCE/ TRANSFER THE RISKS)

Security misconfiguration is very easily exploitable, but there are a number of ways to prevent it. Developers should work with administrators to make sure that the whole stack is properly configured.